PARIS -- The Internet went crazy last week over what was described in
hyperventilating tweets as NATO's plan to kill hackers. "NATO-Commissioned
Report Says Killing Hackers Is Basically OK," blared one tech blog headline,
nicely reinforcing the paranoia. That makes it sound as if the governments
of NATO countries are looking for any excuse to vaporize anyone with a
computer, doesn't it? The more irrationally jumpy among us might imagine
that these governments are just waiting for the guy beside us at the local
Starbucks to fire up his iPad so they can finally have the excuse to wipe
out an entire city block.

The U.S. Cyber Command at Fort Meade, Maryland, didn't just spring up out of
nowhere in 2010 in some nefarious post-9/11 plot to quash civil liberties as
aggressively as it apparently robs the common sense of those prone to
self-absorbed fantasies. Cyber-warfare parameters have been an extremely
long time coming.

After three years of work, a group of international experts with NATO's
Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia, has just
released "The Tallinn Manual on the International Law Applicable to Cyber
Warfare." It's an attempt to adapt and apply international law to the cyber
realm. Here's what you need to know about this proposed cyber-warfare
framework, which does not yet constitute official policy -- although you'd
never know it from all the whining echoing through cyberspace.

--NATO experts were divided on whether a single guy hacking
catastrophically into a country's systems could trigger a retaliatory
attack. However, citing NATO and U.N. Security Council resolutions that
followed in the wake of the 9/11 attacks, they determined that a group of
hackers outside of state direction could trigger a self-defensive
counterattack if the initial hit was significant enough (in other words, if
an attack caused serious harm to people, property or critical
infrastructure). They also extended this provision to any attacks launched
by Internet service providers or technology companies.

-- A hacker acting on behalf of a state could trigger proportionate
retaliation if the initial attack is equal in scale and effect to a
traditional warfare "use of force."

-- Psychological operations, disinformation and other "ruses of war" don't
meet the threshold for a defensive response -- much like when the hacker
collective Anonymous recently claimed to have hacked the information systems
of Israel's Mossad spy agency, with Mossad claiming that it was just a ruse.

-- There would be no geographical limit to the target nation's retaliation
in rooting out the attacker(s). Good. Why should there be?

-- Within the context of any ongoing exchanges of hostilities, a hack attack
has to be proportional. Moreover, it must be limited to military
infrastructure and personnel and any civilians directly involved in the
hostilities. If a hacker targets something that serves both military and
civilian use, then it's considered a military hit by default, legitimizing
the use of retaliatory force.

-- Hackers are not permitted to tweet specific cyber-threats with the
intention of terrorizing civilians, but crying wolf about a perceived danger
that happens to cause panic is OK. "OMG THE JUSTIN BIEBER CONCERT IS
CANCELED" won't get you NATO-bombed.

-- You're not allowed to cause civilians to starve or die of thirst with
your hacking. Emptying all the Fritos from the shelves of the local
supermarket to fuel your 24/7 hacking activities is excluded.

-- Cyber-espionage gets a pass as long as you don't do it in enemy
territory, in which case you'll be treated as a spy in accordance with the
laws of the land, and perhaps even killed. That is, if you're not worth
torturing first to extract information.

-- Cyber-espionage of private companies in other countries has nothing to do
with NATO. Economic warfare (a no less important threat) will have to be
handled through different channels.

Bottom line: Your attempts to hack the McDonald's gift card system to score
a million Big Macs won't get you bombed by NATO. So relax, dude.